Import and backport patches for CVE-2024-9681 (!37) · Merge requests · Debian / curl

Aquila Macedo requested to merge aquila/curl:debian/bookworm into debian/bookworm Nov 12, 2024

A vulnerability in curl's HSTS handling allows a subdomain’s expiry time to overwrite its parent domain’s cache entry. This can lead to unintended HTTPS upgrades or premature reversion to HTTP when both subdomains and parent domains are used. Affects applications with HSTS enabled, potentially disrupting access when a domain stops supporting HTTPS.

Import and backport patches for CVE-2024-9681

Merge request reports